Analysis Overview
SHA256
776eabc814dea61bfdedaf7de00a5c3cfdaf37dded3afe4cefea95809ea159cb
Threat Level: Known bad
The file 2024-06-11_7ea13dd32b3ca02b9facf1cbf096b9c2_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
xmrig
XMRig Miner payload
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 16:03
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 16:03
Reported
2024-06-11 16:06
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\xOXeBeU.exe |
| C:\Windows\System\vsjjejG.exe |
| C:\Windows\System\EkzNIhT.exe |
| C:\Windows\System\BBKGucu.exe |
| C:\Windows\System\ZUSRvrl.exe |
| C:\Windows\System\gIdVNFt.exe |
| C:\Windows\System\UaLzaJr.exe |
| C:\Windows\System\pSXDHLx.exe |
| C:\Windows\System\kqSBAiZ.exe |
| C:\Windows\System\Gxqgmdg.exe |
| C:\Windows\System\aaZFvdI.exe |
| C:\Windows\System\RoRbcst.exe |
| C:\Windows\System\syihfBm.exe |
| C:\Windows\System\oVKQEep.exe |
| C:\Windows\System\AOcYwAA.exe |
| C:\Windows\System\gClBhqJ.exe |
| C:\Windows\System\LTshYQN.exe |
| C:\Windows\System\vtfXGWV.exe |
| C:\Windows\System\tIYSwss.exe |
| C:\Windows\System\ILsBRkq.exe |
| C:\Windows\System\utxPgXA.exe |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_7ea13dd32b3ca02b9facf1cbf096b9c2_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_7ea13dd32b3ca02b9facf1cbf096b9c2_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-11_7ea13dd32b3ca02b9facf1cbf096b9c2_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-11_7ea13dd32b3ca02b9facf1cbf096b9c2_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\xOXeBeU.exe | C:\Windows\System\xOXeBeU.exe |
| C:\Windows\System\vsjjejG.exe | C:\Windows\System\vsjjejG.exe |
| C:\Windows\System\EkzNIhT.exe | C:\Windows\System\EkzNIhT.exe |
| C:\Windows\System\BBKGucu.exe | C:\Windows\System\BBKGucu.exe |
| C:\Windows\System\ZUSRvrl.exe | C:\Windows\System\ZUSRvrl.exe |
| C:\Windows\System\UaLzaJr.exe | C:\Windows\System\UaLzaJr.exe |
| C:\Windows\System\gIdVNFt.exe | C:\Windows\System\gIdVNFt.exe |
| C:\Windows\System\pSXDHLx.exe | C:\Windows\System\pSXDHLx.exe |
| C:\Windows\System\kqSBAiZ.exe | C:\Windows\System\kqSBAiZ.exe |
| C:\Windows\System\Gxqgmdg.exe | C:\Windows\System\Gxqgmdg.exe |
| C:\Windows\System\aaZFvdI.exe | C:\Windows\System\aaZFvdI.exe |
| C:\Windows\System\RoRbcst.exe | C:\Windows\System\RoRbcst.exe |
| C:\Windows\System\syihfBm.exe | C:\Windows\System\syihfBm.exe |
| C:\Windows\System\oVKQEep.exe | C:\Windows\System\oVKQEep.exe |
| C:\Windows\System\AOcYwAA.exe | C:\Windows\System\AOcYwAA.exe |
| C:\Windows\System\gClBhqJ.exe | C:\Windows\System\gClBhqJ.exe |
| C:\Windows\System\LTshYQN.exe | C:\Windows\System\LTshYQN.exe |
| C:\Windows\System\vtfXGWV.exe | C:\Windows\System\vtfXGWV.exe |
| C:\Windows\System\tIYSwss.exe | C:\Windows\System\tIYSwss.exe |
| C:\Windows\System\ILsBRkq.exe | C:\Windows\System\ILsBRkq.exe |
| C:\Windows\System\utxPgXA.exe | C:\Windows\System\utxPgXA.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 52.111.229.43:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 16:03
Reported
2024-06-11 16:06
Platform
win7-20240508-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\tlvzjDc.exe |
| C:\Windows\System\iJqbczR.exe |
| C:\Windows\System\dsPirWP.exe |
| C:\Windows\System\bBgnZAJ.exe |
| C:\Windows\System\JlVWZKq.exe |
| C:\Windows\System\SJgLMce.exe |
| C:\Windows\System\WXglVXj.exe |
| C:\Windows\System\WDmHKJb.exe |
| C:\Windows\System\iGaeTQX.exe |
| C:\Windows\System\mOZXdYD.exe |
| C:\Windows\System\vGtgAiN.exe |
| C:\Windows\System\ROVkpKD.exe |
| C:\Windows\System\MPFmyzS.exe |
| C:\Windows\System\uqSVDvA.exe |
| C:\Windows\System\BqrjtmZ.exe |
| C:\Windows\System\XWwwaPG.exe |
| C:\Windows\System\uTeqCvi.exe |
| C:\Windows\System\xxAPyyP.exe |
| C:\Windows\System\IbYGGZb.exe |
| C:\Windows\System\tTKXdnl.exe |
| C:\Windows\System\jzpsZMj.exe |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_7ea13dd32b3ca02b9facf1cbf096b9c2_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_7ea13dd32b3ca02b9facf1cbf096b9c2_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-11_7ea13dd32b3ca02b9facf1cbf096b9c2_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-11_7ea13dd32b3ca02b9facf1cbf096b9c2_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\tlvzjDc.exe | C:\Windows\System\tlvzjDc.exe |
| C:\Windows\System\iJqbczR.exe | C:\Windows\System\iJqbczR.exe |
| C:\Windows\System\dsPirWP.exe | C:\Windows\System\dsPirWP.exe |
| C:\Windows\System\bBgnZAJ.exe | C:\Windows\System\bBgnZAJ.exe |
| C:\Windows\System\JlVWZKq.exe | C:\Windows\System\JlVWZKq.exe |
| C:\Windows\System\SJgLMce.exe | C:\Windows\System\SJgLMce.exe |
| C:\Windows\System\WXglVXj.exe | C:\Windows\System\WXglVXj.exe |
| C:\Windows\System\WDmHKJb.exe | C:\Windows\System\WDmHKJb.exe |
| C:\Windows\System\iGaeTQX.exe | C:\Windows\System\iGaeTQX.exe |
| C:\Windows\System\mOZXdYD.exe | C:\Windows\System\mOZXdYD.exe |
| C:\Windows\System\vGtgAiN.exe | C:\Windows\System\vGtgAiN.exe |
| C:\Windows\System\ROVkpKD.exe | C:\Windows\System\ROVkpKD.exe |
| C:\Windows\System\uqSVDvA.exe | C:\Windows\System\uqSVDvA.exe |
| C:\Windows\System\MPFmyzS.exe | C:\Windows\System\MPFmyzS.exe |
| C:\Windows\System\BqrjtmZ.exe | C:\Windows\System\BqrjtmZ.exe |
| C:\Windows\System\XWwwaPG.exe | C:\Windows\System\XWwwaPG.exe |
| C:\Windows\System\uTeqCvi.exe | C:\Windows\System\uTeqCvi.exe |
| C:\Windows\System\xxAPyyP.exe | C:\Windows\System\xxAPyyP.exe |
| C:\Windows\System\IbYGGZb.exe | C:\Windows\System\IbYGGZb.exe |
| C:\Windows\System\tTKXdnl.exe | C:\Windows\System\tTKXdnl.exe |
| C:\Windows\System\jzpsZMj.exe | C:\Windows\System\jzpsZMj.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1580-0-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/1580-1-0x0000000000180000-0x0000000000190000-memory.dmp
\Windows\system\tlvzjDc.exe
| MD5 | 2e69cfd254b146ca8058a3a6165bba0b |
| SHA1 | f5eadddb8c42f277fdd7a5763b6740df6ee107dc |
| SHA256 | 44a949f9361cc09fa4b31d732676d1de2ce5d1cbffc93704a1dd9360d9d3b8f1 |
| SHA512 | c1e72b5be6e61547dee48de512fe0d119c80ef3f8f42b1d16479f439ec6a5927de732597f2323bf4b15e52ed5753d638b3bf93e0a97e3b2419cc188bc48276c8 |
memory/3000-8-0x000000013FF70000-0x00000001402C4000-memory.dmp
\Windows\system\iJqbczR.exe
| MD5 | 945c2ad0407ffe2be4cd40b6a5cd8e9a |
| SHA1 | f272c2a97a959dfea495014f41158e0406e3be25 |
| SHA256 | 727a84eb3595c588f791414068888062e17fffa586c1c43b66a895346b1d4d69 |
| SHA512 | 7a0d2f07a34e3cd3b451eae3a39b6da29b3ef1741328d6615bf8d8c00d56f2362c96fab142059da2d357bdd99692557847bf950f4fcde7b643cf0c1158e3e60f |
memory/2600-14-0x000000013F130000-0x000000013F484000-memory.dmp
memory/1580-13-0x000000013F130000-0x000000013F484000-memory.dmp
C:\Windows\system\dsPirWP.exe
| MD5 | 5a4362c5fc087db7da2fe5e6e6e9088e |
| SHA1 | b6a42df53d2ea32682fab541071909a9130c19e5 |
| SHA256 | 30a5acbed631d694f52ee405e0808cbad9432b9f7c55dbe9ce26c86a5b1e949d |
| SHA512 | 22d0c6e2c9fad263ebc2b9a56959400613568957ca2e4784fb56e9a9191df34674587454d0f89e7a3287a5ad5c3ab60de8f372a190c07c240f4e015fa6e78e47 |
memory/2712-22-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/1580-20-0x0000000002480000-0x00000000027D4000-memory.dmp
C:\Windows\system\bBgnZAJ.exe
| MD5 | 7be7385c3ad9a675549c65f1be86fba2 |
| SHA1 | 1b2b54126e332631713643f0b6a4e472ba1778f2 |
| SHA256 | 9dc3f8ef8b0414e6fd49bce1535d6c6437ba0e4d5d4440f2dd7037202be46e0e |
| SHA512 | f1c1e73b1db09414b6d866e7c7832f989f17b2dc050f656b229906d7dcb1642a6d2b7b3d7285778fe2fdc681a54c119dc93ec315eed1855a1b7803ebcaf677c7 |
memory/1580-28-0x0000000002480000-0x00000000027D4000-memory.dmp
memory/2588-29-0x000000013F940000-0x000000013FC94000-memory.dmp
\Windows\system\SJgLMce.exe
| MD5 | 0bc61ccbfc88312c1482e0b1363d3e9b |
| SHA1 | d9a3e747801e159c507a8ea4d7bb404d0c007877 |
| SHA256 | 40e76c46ea82b6b0c875149c97a7889d296973b0114192d7fdc18a8ed94a970a |
| SHA512 | 17e368e9f7bd909fb3a9ca0445620b6d94195ddc3b82483ecc953313191c2bed9ab5da7c28afffec314f764339f569250f29e4b0484a5643bc50e852111ce661 |
memory/2976-36-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/1580-34-0x0000000002480000-0x00000000027D4000-memory.dmp
C:\Windows\system\JlVWZKq.exe
| MD5 | fa97dc67ec702afcd0a642c4a6e0c613 |
| SHA1 | beb203b1a7efffeabda3986350b7fb9bde6ed72e |
| SHA256 | 43735b3de27aac3c952d13236d296b2d74544482ecb2f7271c94bc68ac1751a8 |
| SHA512 | 58349d712a89df1d4302b01a213fc0fd124d4a8595b89ac9bd02ef4ea12cff73dfc1f83eafd5fdb3d2540a2499e89b458b63ecc3ad8e5bf1e65d69ef6c328519 |
C:\Windows\system\WXglVXj.exe
| MD5 | b584cde3d0fa851a57feb1f7e35ad454 |
| SHA1 | 97ff493f8aeb03ee647bf42187f9fe6d33f5a7ab |
| SHA256 | dcc8b3bba41d6b0b949f0256f6b96c716547e850317cf111b8d936ff1fab5803 |
| SHA512 | 78aee037621f3db2194c69fd5dba4b1043cbddf88b35144c9305b400377e12ac84950d276e67fd3a0bcebaaab515c0a1dff87893d81cac6bb0400b277cd6882d |
C:\Windows\system\WDmHKJb.exe
| MD5 | 896fcdb8a69a1cbb1e353c6c8cda9692 |
| SHA1 | 696a14e260d057eed016c51e8398227c3b4f3e92 |
| SHA256 | b006040dff88070b5f85e5a206354614a46de28a0cd7770449f47d260acc51de |
| SHA512 | cb5d57c11f5b52cb098291848aed19cb9b192c9008f1e895c659492ca9a5d00560fe1bd75bd2f8a3bf5cbe190a160d42f237d6e7ba4f2c3141d5beffa535401f |
memory/2640-56-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/2464-49-0x000000013F550000-0x000000013F8A4000-memory.dmp
C:\Windows\system\iGaeTQX.exe
| MD5 | 3295a752719ddcf27fdcfd704e115fc1 |
| SHA1 | 3a92c6cdf23dfb84c02aeda19f4d2b560d5108ab |
| SHA256 | 2bc3f692844d22c85b7c64dd22bf9f44e66ed1e0a5f5a4f7ae6f8478c231e601 |
| SHA512 | d6ad71d799218de6a5e158d9236db3cd4cc4724dd8b13fc964833cb9b7ec20ef3d5fb49e0f572e9b7f245cf70741888ecde026d3d4bbd8152034a74c41084608 |
memory/2600-71-0x000000013F130000-0x000000013F484000-memory.dmp
memory/1580-72-0x000000013F150000-0x000000013F4A4000-memory.dmp
memory/1740-73-0x000000013F150000-0x000000013F4A4000-memory.dmp
memory/2416-62-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/3000-61-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/1580-70-0x000000013F130000-0x000000013F484000-memory.dmp
C:\Windows\system\mOZXdYD.exe
| MD5 | 3855c22650bce5b422d798ce8b67167b |
| SHA1 | 65f289d04442aea76e6512f440d8b854cecc739c |
| SHA256 | 52da53b013b7899dc5b18f480b86f286adeefe5dca30d05a2bf1dbcb7739c997 |
| SHA512 | 663622c50821f205303a8a0a076eceab4ab89b4d34193252368e943a7fd8778af49239e2291f25f635d1a0704f6d0eaaf6ba8cf13fce438888ea21ae7be38b2e |
memory/1580-55-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/1580-48-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/1580-45-0x0000000002480000-0x00000000027D4000-memory.dmp
memory/1580-40-0x000000013FC90000-0x000000013FFE4000-memory.dmp
C:\Windows\system\vGtgAiN.exe
| MD5 | 9f13cbff13012725c3d0239b157afc70 |
| SHA1 | a49e88c7964d5e93e65e8612999a86d083fab7e3 |
| SHA256 | a6a2c7ebe8755d463825b7ca4573fe9819b2606735c09e1a3692af3aeaf4737b |
| SHA512 | d5427cad24ecf0d985ce649197f2cb87b693f4816a82b2fe3e52fae4dba497de85daea2f79acfed06a3d72e9584b04240bfc809932b1b9dc205ff3d4e249fd93 |
C:\Windows\system\ROVkpKD.exe
| MD5 | 9e2082ef7da612dff68b182b50af35a1 |
| SHA1 | 69792df1e137958b2b5f4adfff726ca8ca0465c2 |
| SHA256 | b5c972fac2bdc50734b3eb7bae20f92caa4e758bc2fe469fffa6b1aa4a22f287 |
| SHA512 | 5e05d32a0c775f1032beb0913d1b3fefbc81f9bda0d7cee6d54330ae2a006b3e904b135f93fcbb1fe2ef76b67fbe023948802cbd72022e315cbc1a337d81714f |
memory/1580-100-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/1580-101-0x0000000002480000-0x00000000027D4000-memory.dmp
memory/2540-103-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/748-102-0x000000013F900000-0x000000013FC54000-memory.dmp
memory/2976-98-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
C:\Windows\system\uqSVDvA.exe
| MD5 | 55f65189ebe8a338a8f855a70954e27a |
| SHA1 | 5aac3e98845999bbe62480975585c29e4a4e0eae |
| SHA256 | 597ec4956eb15981775afb9487d0f087aadbff3d2f487ed991c620a21327276d |
| SHA512 | 3243ad639c60be7d4114bc20afaf8b1d8b1be6627de57ca6c4cae5014bf810e881ed73f10e84784f0e16bcf7a193187a5656fc92124cda6c82f1a4c9c6209a6a |
C:\Windows\system\MPFmyzS.exe
| MD5 | d5e78bcbcb870a39fbe1c53311ecef62 |
| SHA1 | e659648de410c48d8daa810175db617d3f255c31 |
| SHA256 | 3e671f7be7f477ef006ea73d67366b6f3d5766aa7e448079ad712d2f7f517700 |
| SHA512 | c63f92e121c463239c5b256d3cc45ad507f7aea0a89731761d87f673e7cc00d65d54a17197c4a6f8f02fd3bb7c857d8f0b1d5e681120a65b5026a7cef4c9a3fc |
memory/1580-86-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/1580-94-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/864-93-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2132-89-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/2712-82-0x000000013FA20000-0x000000013FD74000-memory.dmp
C:\Windows\system\xxAPyyP.exe
| MD5 | 07c93d43525bf2a6123dc8649b2257cc |
| SHA1 | b8e60b866dec2b1cd7e80eb6b86886175e316da8 |
| SHA256 | cfd249bfbe9feb7f565b0e4ba30950c2ed5b62881447048def2cbdcda2b62a22 |
| SHA512 | f2c1b718772d0d8940e2c9e1b2a5f8c3310fa5e8c6ccff889e62a4b7bc751f885488e826f01ef6ca4d821ed473bdc5eaec89771332d2df292f5f3bf82a50b674 |
\Windows\system\jzpsZMj.exe
| MD5 | 3bc17da7935db3a304077db51d2e6d24 |
| SHA1 | 67fc2cbfcca45b31b395e17d490a053481834477 |
| SHA256 | 2179b463fc93b4977f7da160fe46a259ec0ea6cedc2b0f05096a30a02645097f |
| SHA512 | f9b635894c1ccf6b5471798ec5b9daedd6a82685653c185fc7e7d09734a0d7990cf9d48132b3f57ff2319827670bbd2f1370e315e240b754f9b57b1175fd0a92 |
C:\Windows\system\tTKXdnl.exe
| MD5 | a839b463211242fe9a1bb073affb17f4 |
| SHA1 | 78f6c63251b8e13247ca4057b0816ce26351c309 |
| SHA256 | fc8c4fc0ac6d180adb9d60c416e92b4dee134b8be9b2f144320a716e07a4ca31 |
| SHA512 | 618aa76860b84dd0bb45700411d907cbcd170d26f7d3fbc2beea0f4d456040036191f9568dd14bf4e926753840c1b6e6ead738aee48041bcdbf16f53482249ed |
C:\Windows\system\IbYGGZb.exe
| MD5 | d7c91c7c626c692a551e5d0da738351f |
| SHA1 | 341ed7aa770dfc127c0706c4cd4b3a9ef73b9556 |
| SHA256 | 5cbfc5f77b56430963eb06039823c61432509dd0ec089894143adfba5a25f1e6 |
| SHA512 | f71393fc0c52ad1af3f87f5735e73d70d981485c0a41b9bf2d0b8d02f6c2b7fac377ee43da5a7320d09710739c2e1da981db26566cb2ea314c3aa6b087751233 |
C:\Windows\system\uTeqCvi.exe
| MD5 | b2d8f8717ede6c88b731c3c7dcbebe34 |
| SHA1 | 792b9bb40ea94d88d2ebe14f24d07bce5bb0307c |
| SHA256 | 0cc5f20cf7f1f95bd995e3f43ab208d53d5f7abcbe9ccbcd65c103359a309628 |
| SHA512 | 6884ac6c58f141097f352db423d9a41456a90872901e533f9a971f9c3de6d99ff883ddfd1f8c4a85edb6a0b7a5d2de4e659adfa2f9f45eeb79506c58dce4caca |
C:\Windows\system\XWwwaPG.exe
| MD5 | 891b2bc4b25a2d7f38c0827eab76ff96 |
| SHA1 | efbb3aca45f47938d5b50eb9412f1cf28daa0392 |
| SHA256 | 72e7ad7a5ba04450c72f3a50bf6aa1c4a19ecaed0eade1ca522376b4ed9a1e4b |
| SHA512 | 374b1375b9b907edb50f7feff1a055883e693f215993383ed8a739da30c229b2591cabea826dff6f00d972282152430ebd0b180abae167d9c65e3a2aa5a7208f |
memory/1580-108-0x000000013F2E0000-0x000000013F634000-memory.dmp
C:\Windows\system\BqrjtmZ.exe
| MD5 | 1c76b5343986fb2bca6422b401db83e9 |
| SHA1 | 52259ef534d6c632978d737c6a3f6c1f9b41b4a6 |
| SHA256 | 017592a32c4a2265258f301dbeb84dff7de0e3b95a69142a54d5b6c5c49187b5 |
| SHA512 | 892a2bb8ff753d9601742fe08705302fecf699f18083e64c9762d78b52f264307555dcc84cbaca6661d958a8e59303a17933e4b1dd4550e20f5b11b1f711275e |
memory/2636-139-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/2464-140-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2416-141-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/1580-142-0x000000013F150000-0x000000013F4A4000-memory.dmp
memory/1580-143-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/864-144-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/1580-145-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/1580-146-0x0000000002480000-0x00000000027D4000-memory.dmp
memory/1580-147-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/3000-148-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2600-149-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2712-150-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2588-151-0x000000013F940000-0x000000013FC94000-memory.dmp
memory/2976-152-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2636-153-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/2640-154-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/2464-155-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2416-157-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/1740-156-0x000000013F150000-0x000000013F4A4000-memory.dmp
memory/2132-158-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/864-159-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/748-160-0x000000013F900000-0x000000013FC54000-memory.dmp
memory/2540-161-0x000000013FF10000-0x0000000140264000-memory.dmp